STARTTLS Everywhere: Properly Configuring Machine Identities for TLS Encryption on Email Servers

June 28, 2018 | Scott Carter

The folks at the Electronic Frontier Foundation (EFF) had a vision: to do for email servers what Let’s Encrypt did for web servers. To that end, they launched STARTTLS Everywhere, a new project that provides guidance to server administrators on how to configure email servers to run STARTTLS correctly.

STARTTLS aims to simplify the installation of email encryption by providing an extension of the SMTP email-sending protocol that takes an existing insecure connection and upgrades it to a secure connection using TLS (or SSL) certificates.

In a nutshell, here’s how it works. STARTTLS safeguards email communications by allowing the email servers at both ends of a connection to exchange certificates and set up an encrypted communications channel before sending or receiving emails. Once that process is complete, the sending server transmits the encrypted email which the receiving server then decrypts.

Kevin Bocek, chief technology strategist at Venafi, explains why this is important: “Without STARTTLS, email that flows between servers can be read in transit and the receiving server can be spoofed. This could allow attackers to snoop on email traffic between servers.”

Why is a program like STARTTLS Everywhere so important? In an earlier blog, we reported on an email encryption vulnerability called Efail. In a technical paper, researchers showed how they were able to breach two common end-to-end email encryption methods, S/MIME and PGP.

While STARTTLS is a huge step forward for enterprise data protection and privacy, its benefits diminish if it is not configured properly. Often, STARTTLS will be enabled on an email server, but the server will not be configured to validate certificates. In effect, this makes it difficult to ensure the legitimacy of the connection and to be certain that the email cannot be read by third-party observers.

Improper configuration can lead to a false sense of security with potentially hazardous consequences. Bleeping Computer warns that without the proper configuration, “anyone can interpose himself between two email servers and use an invalid certificate to pose as the recipient or sender, as most email servers fail to verify the provided certificate's authenticity. Furthermore, due to a lapse in STARTTLS' design, STARTTLS-encrypted email communication channels can be downgraded to sending the email message in cleartext, instead of an encrypted form.”
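As an added illustration (not code from the EFF project or from Venafi), the following Python sketch shows the client-side decisions behind the points above: parsing the EHLO reply for the STARTTLS extension, how an opportunistic policy silently falls back to cleartext when that line has been stripped in transit while a required policy refuses, and an SSL context that actually verifies the peer certificate and hostname. The hostname mx.example.test and both EHLO replies are constructed samples.

```python
import smtplib
import ssl

# Constructed sample EHLO replies (not captured from any real server).
EHLO_HONEST = "250-mx.example.test\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
# The same reply with the STARTTLS line removed in transit: the downgrade the post describes.
EHLO_STRIPPED = "250-mx.example.test\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"


def parse_ehlo_extensions(reply: str) -> set:
    """Return the SMTP extension keywords advertised in a multi-line 250 EHLO reply."""
    lines = reply.strip().split("\r\n")
    exts = set()
    for line in lines[1:]:  # the first line carries the server's hostname, not an extension
        if not line.startswith("250"):
            raise ValueError(f"unexpected reply line: {line!r}")
        exts.add(line[4:].split(" ")[0].upper())
    return exts


def decide_transport(reply: str, policy: str) -> str:
    """'opportunistic' uses TLS if offered, else cleartext (the common default, which a
    stripped STARTTLS line silently defeats); 'required' never delivers over cleartext."""
    if "STARTTLS" in parse_ehlo_extensions(reply):
        return "tls"
    return "refuse" if policy == "required" else "cleartext"


def verifying_context(ca_file=None) -> ssl.SSLContext:
    """Context that validates the peer certificate chain and hostname,
    the step the post says is often skipped when STARTTLS is merely enabled."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_requiring_tls(host: str, port: int = 25, timeout: float = 10.0) -> smtplib.SMTP:
    """Open an SMTP session that refuses cleartext and verifies the certificate.
    Needs network access, so it is defined here but not exercised offline."""
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        smtp.quit()
        raise RuntimeError(f"{host} did not advertise STARTTLS; refusing cleartext delivery")
    smtp.starttls(context=verifying_context())  # raises SSLCertVerificationError on a bad cert
    smtp.ehlo()  # EHLO must be re-issued after the upgrade; pre-TLS capabilities are discarded
    return smtp
```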

Ensuring proper configuration to avoid the abuse of email encryption is where STARTTLS Everywhere will add a great deal of value. According to EFF, "STARTTLS Everywhere provides software that a sysadmin can run on an email server to automatically get a valid certificate from Let’s Encrypt." EFF continues, "This software can also configure their email server software so that it uses STARTTLS and presents the valid certificate to other email servers."

Kevin Bocek, chief technology strategist at Venafi, believes this program will have a positive impact on overall machine identity management: “System administrators and security teams will be most interested in the STARTTLS Everywhere program since it removes headaches and misconfigurations that larger security teams have only been able to address as part of their machine identity management programs.”

How secure are the machine identities of your email servers?

About the author

Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them.
